Rational actors will just set themselves as referral

[code423n4]

Handle

cmichel

Vulnerability details

Vulnerability Details

When depositing, a referral can be chosen and the only check is:

account != address(0) && referral != address(0) && referrals[account] == address(0)

One can refer themselves

Impact

(From the contracts that are part of this repo, it's not immediately clear what the referrals are used for.) If they are used for anything, rational actors will always refer themselves to maximize profits making the referral system useless.

Recommended Mitigation Steps

Whitelist big influencers that are allowed to be used as referrals to avoid everyone referring themselves or another account they control.

[kitty-the-kat]

not an issue/non-critical Makes no difference, referrals are calculated offchain and not used for anything on chain

[ghoul-sol]

Even if this is calculated off-chain, technically being able to refer ourselves is an issue. Even offchain this needs to be filtered out which is extra work. I'm keeping this as low risk.